I saw a notice in the 2.5 release notes and I read through the June ’16 conversation about the elasticsearch plugin. I wanted to add my $0.02. For people who are trying to analyze large traffic flows it becomes imperative to not rely on the disk subsystem for transport. Our current flow looks like:
Bro -> NSQ -> Logstash -> ElasticSearch
We tried to use the Redis plugin first but it was not built in a way that makes it possible to use with Logstash (I have two or three open issues on github). Moving to NSQ was the only way we could really deploy the service. I’m open to switching to a different messaging broker, but I think it is a bit over-ambitious to deprecate a plugin that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).
Thanks
- Munroe